1.1.2 • Published 4 years ago

@goodgamestudios/stp-cognito-auth v1.1.2

License
UNLICENSED

AWS COGNITO POOL WITH USERS WITH GOOGLE GROUPS

This module provides a blueprint and helper files to create a User Pool configured with Google as Identity Provider, together with SignUp triggers that try to match the Groups defined in the User Pool against the Google Groups the user belongs to.

Purpose

Handling Authentication (AuthN) for an application via an AWS Cognito User Pool, where user management is automated through Google Email Groups.

AWS Cognito manages the users of an application by storing them in User Pools and organizing them into Groups (which may carry different Authorization (AuthZ) levels). Users can be added manually to User Pools and Groups, imported from a CSV file, or sign up to the application themselves and be confirmed via a Lambda Trigger, a manual confirmation by an Admin, or a confirmation code.

Requirement

In the case of internal applications used by GGS employees, users should be added to or deleted from the User Pool depending on the department they belong to.

Possible solutions:

LDAP / UAC / AD

The Lightweight Directory Access Protocol is used by Active Directory (the directory services implementation). User Access Control is bound to Active Directory. UAC has no groups or structure in terms of Organizational Units. The company structure is reflected in Active Directory, and HR adds new employees to a specific AD Group that maps to a specific department.

Main pain points:

  • An AD Group says nothing about the teams or projects inside that department.
  • Changes to it can be very slow, and the information can get outdated.
  • Accessing AD from a Lambda would be very tricky.

Google Groups

Google Groups, also known as Mail Groups, Forums or Discussion Groups, are lists of user/email accounts used mainly by teams or project members to share information or as a shared recipient for emails and warnings. They are maintained directly by the team lead or project manager.

Main pain points:

  • They could be outdated, but ownership of the group sits very close to the team/department itself, so updates can be made immediately without relying on IT or HR.

Chosen Solution:

Google Application + AWS Cognito User Pool with Google Identity Provider + AWS Amplify Authentication Module

More info about the Requirement and the Process can be found in this presentation.

Your application architecture will therefore consist of these 3 components:

  • Frontend (e.g. React with the AWS Amplify Auth module)
  • Backend (API Gateway + Lambda with Cognito Authorizers)
  • Cognito User Pool and Lambda Triggers

This project provides you with all the necessary information on how to configure and set up the AuthN/AuthZ functionality connecting the Cognito User Pool with Google API Groups.

Project contains:

  • Sample Serverless configuration for the creation of the User Pool (copy it into your main project and edit it with your project details)
  • Shell script that is executed after deployment to edit the User Pool with additional information regarding the Identity Provider credentials and the Client
  • src code with logic for
    • retrieving the Google Groups of the current user,
    • retrieving the available Groups in the Cognito pool,
    • and applying filters / matching and updates
  • triggers with logic for:
    • granting access to the app and automatically signing the user up to the User Pool based on the Google Groups to which they belong
    • updating the User Pool by adding the user to the matching Groups (must be done in a second step because at sign-up the user is not yet created and cannot be added to Groups)
    • keeping users in the User Pool up to date (if a user leaves a Google Group they should be automatically removed from the User Pool Group)
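
As an added illustration of the trigger logic listed above (example code written for this page, not the module's own), the pure decision and matching steps of a PreSignUp trigger and of the follow-up group sync. The matching convention (Google group e-mail local part equals Cognito group name), the sample event and the `allowedDomain` parameter are assumptions; fetching the Google Groups and Cognito Groups is left to the real Lambda handler.

```javascript
// Cognito PreSignUp event shape (constructed sample, only the fields used here).
function sampleEvent(email) {
  return {
    triggerSource: 'PreSignUp_ExternalProvider',   // sign-up through the Google IdP
    request: { userAttributes: { email } },
    response: { autoConfirmUser: false, autoVerifyEmail: false },
  };
}

// A Google group matches a Cognito group when the group e-mail's local part
// equals the Cognito group name (assumed convention, not necessarily the module's).
function matchGroups(googleGroupEmails, cognitoGroupNames) {
  const wanted = new Set(cognitoGroupNames.map(n => n.toLowerCase()));
  const matched = new Set();
  for (const addr of googleGroupEmails) {
    const local = String(addr).toLowerCase().split('@')[0];
    if (wanted.has(local)) matched.add(local);
  }
  return [...matched].sort();
}

// PreSignUp decision: a thrown error denies the sign-up; setting autoConfirmUser
// confirms the user without a confirmation code. The Lambda handler is expected
// to look up googleGroups (Google Admin Directory API) and cognitoGroups
// (Cognito ListGroups) first, so this function stays pure and testable.
function decideSignUp(event, googleGroups, cognitoGroups, allowedDomain) {
  const email = String(event.request.userAttributes.email || '').toLowerCase();
  if (!email.endsWith('@' + allowedDomain.toLowerCase())) {
    throw new Error('sign-up denied: e-mail domain not allowed');
  }
  if (matchGroups(googleGroups, cognitoGroups).length === 0) {
    throw new Error('sign-up denied: user is in no Google group mapped to the pool');
  }
  event.response.autoConfirmUser = true;
  event.response.autoVerifyEmail = true;
  return event;
}

// Second step (once the user exists): the add/remove plan that makes the user's
// Cognito group membership mirror the matched Google groups, so a user who left
// a Google group is also dropped from the corresponding pool group.
function syncPlan(currentCognitoMembership, matchedGroups) {
  const current = new Set(currentCognitoMembership);
  const target = new Set(matchedGroups);
  return {
    add: [...target].filter(g => !current.has(g)).sort(),
    remove: [...current].filter(g => !target.has(g)).sort(),
  };
}
```

A user whose Google Groups map to no pool Group is rejected before a Cognito user is ever created, which is the point of doing the check in PreSignUp rather than after confirmation.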

Configuration / SetUp:
